Bug 8291 - claws-mail-plugins new security issue CVE-2012-5527
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/527917/
Whiteboard: has_procedure mga2-32-OK mga2-64-OK
Keywords: validated_update

Reported: 2012-12-04 00:13 CET by David Walser
Modified: 2013-01-18 01:38 CET

See Also:
Source RPM: claws-mail-plugins
CVE:
Status comment:

Description David Walser 2012-12-04 00:13:45 CET
The flaw is in the vCalendar plugin and was fixed upstream in November.  It looks like it was fixed in 3.9.0, but I'm not 100% sure.  If so, it would only impact Mageia 2.  It looks to be a pretty low impact/severity issue, so we could possibly just check a patch into SVN and not issue an update right away.

The RedHat bug has some good references:
https://bugzilla.redhat.com/show_bug.cgi?id=877372
Comment 1 Julien Moragny 2012-12-04 21:09:07 CET
Hi,

It impacts cauldron as well. I just pushed 3.9.0-2 with the upstream patch to fix this in cauldron.

I also pushed an update to updates_testing for mga2 but I messed up the release tag (2.1 instead of 1.2). I will ask sysadm to remove the packages.
Comment 2 David Walser 2012-12-30 01:30:46 CET
claws-mail-plugins has been removed from updates_testing, so you may fix the release tag and resubmit.

Also, I just noticed that the name of the PDF viewer plugin doesn't quite match in mga2 and Cauldron.  In mga2 it has an underscore, which seems to be correct and consistent with the way the other subpackages are named, but in Cauldron it doesn't have the underscore.  I added it in mga2 when I had to update to 3.8.1 for a previous security update:
http://svnweb.mageia.org/packages/updates/2/claws-mail-plugins/current/SPECS/claws-mail-plugins.spec?r1=311823&r2=311825

I recommend renaming it in the Cauldron package.  If you don't want to, it needs to obsolete the mga2 one.
Comment 3 Julien Moragny 2013-01-02 20:06:04 CET
Thank you

Here is a proposal of advisory :

========================

Updated claws-mail-plugins packages fix security vulnerabilities:

A security flaw was found in the way the vCalendar plug-in of Claws Mail displayed user credential information in the system tray display when using the https scheme. A local attacker could use this flaw to obtain the user credentials (username and password) used for the connection to the remote point. (CVE-2012-5527)


References:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
https://bugzilla.redhat.com/show_bug.cgi?id=877372

========================

Updated packages in core/updates_testing:
========================
claws-mail-acpi-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-address_keeper-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-attachwarner-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-att_remover-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-bsfilter-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-clamd-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-fancy-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-fetchinfo-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-gtkhtml2_viewer-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-mailmbox-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-newmail-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-notification-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-pdf_viewer-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-perl-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-plugins-debug-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-python-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-rssyl-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-spam_report-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-tnef_parse-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-vcalendar-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-vcalendar-plugin-devel-3.8.1-1.2.mga2.x86_64.rpm


Source RPM: 
claws-mail-plugins-3.8.1-1.2.mga2.src.rpm
Comment 4 Julien Moragny 2013-01-02 20:24:19 CET
Regarding pdf_viewer, I just pushed a package with the renaming; it was an error.
thanks
Comment 5 Julien Moragny 2013-01-02 20:28:24 CET
Hi QA,

I just pushed an update for claws-mail-plugins in mga2 updates_testing (see above for the advisory).

I don't have a way to easily test the update as it needs a vcal server with https auth.
When you use this kind of server, the systray icon should not display the credentials of the account when fetching (see the upstream bug report for a screenshot).

thanks & regards.
Julien
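The advisory in comment 3 and the expected post-fix behaviour in comment 5 (the tray message must not show the account credentials) describe a display-string sanitisation problem: a subscription URL of the form https://user:password@host/... was formatted into the status message as-is. The following C example is added here to illustrate that class of bug and its fix; it is not the upstream Claws Mail patch and does not use the Claws Mail API. The function names, the message format and the sample subscription URL are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy n bytes of s into a new NUL-terminated buffer (caller frees). */
static char *copy_n(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out != NULL) {
        memcpy(out, s, n);
        out[n] = '\0';
    }
    return out;
}

/* Return a copy of url with any userinfo ("user:password@") removed from the
 * authority part, so the result is safe to put in a tray or status message.
 * Only an '@' inside the authority (before the first '/', '?' or '#') is
 * userinfo; an '@' in the path or query is data and is left alone. Strings
 * without a "scheme://" authority part are copied unchanged. Caller frees. */
char *vcal_redact_url(const char *url)
{
    const char *scheme_end = strstr(url, "://");
    if (scheme_end == NULL)
        return copy_n(url, strlen(url));

    const char *authority = scheme_end + 3;
    size_t auth_len = strcspn(authority, "/?#");
    const char *at = memchr(authority, '@', auth_len);
    if (at == NULL)
        return copy_n(url, strlen(url));

    size_t prefix_len = (size_t)(authority - url);   /* "scheme://" */
    const char *rest = at + 1;                        /* host and onwards */
    size_t rest_len = strlen(rest);
    char *out = malloc(prefix_len + rest_len + 1);
    if (out != NULL) {
        memcpy(out, url, prefix_len);
        memcpy(out + prefix_len, rest, rest_len + 1); /* includes the NUL */
    }
    return out;
}

/* Build the message shown while a calendar is fetched (hypothetical format).
 * With redact == 0 the raw URL is formatted into the message, which is the
 * class of mistake behind CVE-2012-5527: a subscription URL carrying
 * credentials ends up on screen. With redact != 0 the URL is sanitised
 * first. Caller frees the result. */
char *vcal_fetch_message(const char *url, int redact)
{
    char *shown = redact ? vcal_redact_url(url) : copy_n(url, strlen(url));
    if (shown == NULL)
        return NULL;
    static const char fmt[] = "Fetching calendar from %s";
    size_t n = sizeof fmt + strlen(shown);   /* sizeof fmt counts the NUL */
    char *msg = malloc(n);
    if (msg != NULL)
        snprintf(msg, n, fmt, shown);
    free(shown);
    return msg;
}

/* Self-check helper: 1 if redacting url yields expected, 0 otherwise. */
int vcal_redact_equals(const char *url, const char *expected)
{
    char *got = vcal_redact_url(url);
    int ok = (got != NULL) && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

/* Self-check helper: 1 if the fetch message for url still contains secret. */
int vcal_message_leaks(const char *url, int redact, const char *secret)
{
    char *msg = vcal_fetch_message(url, redact);
    int leaks = (msg != NULL) && strstr(msg, secret) != NULL;
    free(msg);
    return leaks;
}

int main(void)
{
    /* Constructed sample subscription URL with embedded credentials. */
    const char *url = "https://alice:s3cret@cal.example.org/home/alice.ics";
    char *before = vcal_fetch_message(url, 0);
    char *after = vcal_fetch_message(url, 1);
    printf("before: %s\nafter:  %s\n", before, after);
    free(before);
    free(after);
    return 0;
}
```

The redaction deliberately keys on the authority part only, so an '@' inside a query string (a common pattern in calendar feed URLs that carry an e-mail address) is not mistaken for userinfo, and a URL without credentials passes through unchanged, which matches the QA observation in this thread that a plain webcal subscription keeps working after the update.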
Comment 6 David Walser 2013-01-03 20:44:46 CET
Patch checked into Mageia 1 SVN.
Comment 7 claire robinson 2013-01-11 16:44:12 CET
Testing complete mga2 32

Just loaded as many of the plugins as I could into claws and configured a random webcal calendar from the internet.

No errors after updating and vcalendar still works ok.
Comment 8 claire robinson 2013-01-17 11:59:39 CET
Testing mga2 64

The Newmail plugin is not functional; it gives an error when installed.

Error: No such file or directory
Plugin is not functional.
Comment 9 Julien Moragny 2013-01-17 19:08:13 CET
Hi,

thanks for the testing.

After investigation, Newmail plugin needs an existing Mail directory inside $HOME and doesn't create one if it isn't present before loading. I will raise a bug upstream.
Comment 10 Julien Moragny 2013-01-17 19:18:57 CET
and here it is
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2859
Comment 11 claire robinson 2013-01-17 20:12:17 CET
I've created a new Mageia bug for it, bug 8725; it was the same in the version in updates.


It won't hold up this update.
Comment 12 claire robinson 2013-01-17 20:14:54 CET
Other than newmail everything seems fine so testing complete mga2 64

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 13 Thomas Backlund 2013-01-18 01:38:26 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0014